Hacking on 3 sites


Hi
I have a major problem for 3 of my websites:
www.wezen-vrienden.be
www.begrafenissenbruyland.be
www.vanisrael.be

They appear to be hacked, I received a message from the hosting provider. Wezen-vrienden is currently offline. I cannot access any of the admin panels!
Can anyone help me out with this? This is the first time that some of my sites have been hacked and I don't really know what to do.
They have sent me all the files that have been affected. Should I just delete these files? HELP!

Greetings
Stefanie
  • L&s bvba
  • LIfetime Developer - Big Bamboo
  • 197 posts
  • Karma: 0
The administrator has disabled public write access.
Hi Stefanie,

To get the sites back up as soon as possible you could go through the list of infected files and replace them with the originals (or rename them if they shouldn't exist) and then ask your host to put the site back online so you can access them.

For a complete clean, I usually take a backup of the site as it is to install locally. Then install a blank copy of Joomla to another folder and attach it to the database of the hacked site.
Then, in the clean version, reinstall clean versions of all the extensions you have installed on the site and replace your images folder (making sure it only contains images).

You can then check through the clean site, make sure everything is the latest version (and probably install a firewall), back it up and use it to replace the live version.

If you would like us to do this for you, it usually takes around an hour per site, which we could do as custom support blocks (which you can purchase through your profile page). If you would like to take that route then please open a support ticket referencing this thread.

Regards,

Rob
  • Robert Went
  • Moderator
  • 2210 posts
  • 196 Thanks
  • Karma: 90
The following user(s) said Thank You: Andrew
Hi Rob

Thanks for your reply. I found the infected files and replaced them with the files I had in my local files. I can now access the backend of begrafenissenbruyland.be, but it is not fully operational.
If I try to access the control panel, I get error 1 (see attached), if I try to open the general setting I get another error (see attached).
I can see the modules and adapt the content, but I can't open any articles. So there must be some issues still. I asked the host to run another scan to see what's wrong.
Stefanie
Attachments:
  • L&s bvba
  • LIfetime Developer - Big Bamboo
  • 197 posts
  • Karma: 0
Hi,

It's likely that some core files have been modified.

If you download the full Joomla package (the same version that you have installed), you can use it to replace all the core files.

In the Joomla zip file, you would want to remove the installation directory as you would get the install screen if you uploaded that folder to the site.

Bear in mind that fixing these files doesn't fix the issues with how the sites were originally hacked. Also, if there are any hacked files left in the hosting account, you can sometimes find that they reinfect the files that you are currently fixing.

Regards,

Rob
  • Robert Went
  • Moderator
  • 2210 posts
  • 196 Thanks
  • Karma: 90
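An added example, not part of the original thread and not the moderator's own code: a shell sketch of the check behind the two replies above, comparing a site against an unpacked clean Joomla package of the same version (skipping `installation/`) and listing non-image files in the images folder. The function names `audit_core`, `non_images` and `make_demo` and the demo directory tree are hypothetical and constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example. Function names and the demo tree are hypothetical.

# audit_core SITE CLEAN: compare SITE against an unpacked clean Joomla package
# of the same version, skipping installation/ (it must not be uploaded).
audit_core() {
    site=$1; clean=$2
    ( cd "$clean" && find . -type f ! -path './installation/*' | sort ) |
    while IFS= read -r rel; do
        if [ ! -f "$site/$rel" ]; then
            echo "MISSING ${rel#./}"      # package file absent on the site
        elif ! cmp -s "$clean/$rel" "$site/$rel"; then
            echo "MODIFIED ${rel#./}"     # core file differs from the original
        fi
    done
}

# non_images DIR: list files in an images folder that are not images by
# extension. A renamed script would pass, so treat this as a first pass only.
non_images() {
    find "$1" -type f ! \( -iname '*.jpg' -o -iname '*.jpeg' -o -iname '*.png' \
        -o -iname '*.gif' -o -iname '*.webp' -o -iname 'index.html' \) | sort
}

# make_demo: build a constructed clean/site pair in a temp dir and print its path.
make_demo() {
    d=$(mktemp -d)
    mkdir -p "$d/clean/installation" "$d/clean/libraries" "$d/clean/administrator" \
             "$d/site/libraries" "$d/site/images"
    echo '<?php // core index' > "$d/clean/index.php"
    echo '<?php // loader'     > "$d/clean/libraries/loader.php"
    echo '<?php // helper'     > "$d/clean/administrator/helper.php"
    echo '<?php // installer'  > "$d/clean/installation/index.php"
    echo '<?php // core index' > "$d/site/index.php"
    echo '<?php // changed'    > "$d/site/libraries/loader.php"
    : > "$d/site/images/logo.png"
    echo '<?php // placeholder' > "$d/site/images/cache.php"
    echo "$d"
}

demo=$(make_demo)
audit_core "$demo/site" "$demo/clean"
non_images "$demo/site/images"
rm -rf "$demo"
```

Files that exist only on the site (extensions, `configuration.php`, anything dropped in by an intruder) are not reported by `audit_core`, so an empty result does not mean the hosting account is clean.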
I would highly recommend trying out the myjoomla service ...
myjoomla.com/

They have good tools for identifying server issues.
Thanks
  • Anthony Olsen
  • LIfetime Developer - Big Bamboo
  • 23925 posts
  • 788 Thanks
  • Karma: 433
Thanks, will check it out!

I solved the issues for 2 websites by replacing the Joomla-files and resetting all the passwords. There is 1 website where it didn't work: www.wezen-vrienden.be. The site is back online, but I can't access the admin panel:

Fatal error: Call to undefined method UsersHelper::getTwoFactorMethods() in /opt/www/kbbcwezenvriend/web/www.wezen-vrienden.be/administrator/modules/mod_login/helper.php on line 85

I replaced the Joomla files, removed the infected files... without any luck!
  • L&s bvba
  • LIfetime Developer - Big Bamboo
  • 197 posts
  • Karma: 0
It sounds like you are missing some files related to user authentication.

Please remember that replacing the core files is only a temporary fix. It doesn't clean the site and won't remove any possible backdoors that have been added by hackers.
  • Robert Went
  • Moderator
  • 2210 posts
  • 196 Thanks
  • Karma: 90
Hi Rob

Since the site www.vanisrael.be has been hacked AGAIN, despite all my efforts to clean things up, I believe this cleanup is a good idea. However, I can't open a new ticket. Can you help me out?
  • L&s bvba
  • LIfetime Developer - Big Bamboo
  • 197 posts
  • Karma: 0
A ticket on the Joomla Bamboo system?
  • manh
  • Moderator
  • 45248 posts
  • 2106 Thanks
  • Karma: 603
Yes, in order to help me out with the cleanup of the website.
  • L&s bvba
  • LIfetime Developer - Big Bamboo
  • 197 posts
  • Karma: 0
Hi

Can you try now?

Thanks
Paul
  • manh
  • Moderator
  • 45248 posts
  • 2106 Thanks
  • Karma: 603